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Abstract 


The  National  Defense  Authorization  Act  for  Fiscal  Year  2012  gave  the  Department  of 
Defense  the  statutory  authority  to  conduct  offensive  cyberoperations,  subject  to  the  Law  of 
Armed  Conflict.  Four  major  types  of  offensive  cyberoperations  include  destroying  data  on  a 
network  or  a  system  connected  to  a  network,  being  an  active  member  of  a  network  and 
generating  bogus  traffic,  clandestinely  altering  data  in  a  database  stored  on  a  network  and 
degrading  or  denying  service  on  a  network.  Conducting  these  operations,  as  opposed  to 
cyberexploitation,  will  require  military  planners  to  analyze  potential  actions  through  the  lens  of 
the  Law  of  Armed  Conflict’s  constraint  elements  of  military  necessity,  proportionality,  perfidy, 
distinction  and  neutrality.  The  use  of  a  recognized  analytical  framework  lends  legitimacy  to 
actions  undertaken  by  the  United  States,  and  shows  a  continued  commitment  to  recognized  rules 
of  international  law.  Utilizing  the  present  parameters  of  the  existing  LOAC  framework,  parallel 
legal  and  historical  analogies  and  reasonable  interpretations  and  applications  of  those  analogies, 
the  United  States  should  legitimately  be  able  to  conduct  the  four  types  of  offensive 
cyberoperations. 


IV 


Introduction 


On  August  7,  2008,  the  country  of  Georgia  launched  an  invasion  into  South  Ossetia  in 
response  to  growing  tension  with  Russia  over  the  disputed  region’s  future.^  This  conflict  had  its 
roots  in,  inter  alia,  Georgia’s  loss  of  South  Ossetia  to  Russia  in  1992  and  the  subsequent 
installation  of  unrecognized  pro-Russian  governments.^  The  war  proceeded  down  a  recognized 
path  of  small  wars  between  nation  states.  Georgian  forces  began  an  artillery  attack  against  a 
major  town  in  the  South  Ossetia  region,  and  the  Russians  responded  with  a  naval  blockade  of 
Georgian  ports,  the  deployment  of  combat  troops  in  South  Ossetia  and  bombing  missions  into 
Georgia.^  Russia  soon  gained  the  upper  hand,  and  after  five  days  of  fighting  an  EU  brokered 
ceasefire  took  effect."^  Besides  Georgia’s  failure  to  capture  South  Ossetia,  the  war  resulted  in 
over  100,000  displaced  civilians,  400  civilians  killed  and  200  Georgian  and  64  Russian  military 
casualties.  Both  sides  continued  to  blame  each  other  for  provoking  the  war. 

At  first  blush,  this  war  seems  rather  unremarkable.  However,  this  was  a  war  unlike  any 
other.  Aeeording  to  David  Hollis,  “this  appears  to  be  the  first  case  in  history  of  a  coordinated 
cyberspace  domain  attack  synchronized  with  major  combat  actions  in  the  other  warfighting 
domains  (consisting  of  land,  air,  sea,  and  space). From  pre-invasion  streams  of  data  containing 


^  David  Hollis,  Cyberwar  Case  Study:  Georgia  2008,  Small  Wars  Journal  Blog  (January  6,  2011)  found  at 
http://smallwarsjournal.eom/jml/art/cyberwar-case-study-georgia-2008,  1. 

^  Ibid. 

^  Ibid. 

Paul  Ames,  “EU:  Most  Russian  cease-fire  allegations  overblown,”  USA  Today,  24  October  2008, 
http://usatoday30.usatoday.eom/news/world/2008-10-24-2937695828_x.htm  (accessed  29  October  2013). 

^  Bmno  Waterfield,  “EU  blames  Georgia  for  starting  war  with  Russia,”  The  Telegraph,  30  September  2009, 
http://www.telegraph.co.uk/news/worldnews/europe/georgia/6247620/EU-blames-Georgia-for-starting-war-with- 
Russia.html  (accessed  29  October  2013). 

^  C.J.  Chivers,  “Georgia  Offers  Fresh  Evidence  on  War’s  Start,”  New  York  Times,  15  September  2008, 
http://www.nytimes.eom/2008/09/16/world/europe/16georgia.html ?_r=2&oref=slogin&  (accessed  29  October 
2013). 


^  Hollis,  2. 


o 

“win+love+in+Rusia”  directed  towards  Georgian  government  sites  to  coordinated  attacks 
overloading  and  disabling  Georgian  servers,^  the  U.S.  Cyberconsequences  Unit  report  noted 
Russian  organized  crime  and  other  civilians,  without  any  apparent  direct  links  to  the  Russian 
military  or  government,  carried  out  much  of  the  cyberattacks  against  the  Georgian  government. 
The  same  report  noted  “54  web  sites  in  Georgia  related  to  communications,  finance,  and  the 
government  were  attacked  by  rogue  elements  within  Russia.  The  bad  guys  weren't  working  for 
the  Russian  government  or  military  but  it  is  safe  to  say  that  there  had  to  be  some  complicity 
here.”^^  Also,  “experts  say  evidence  suggests  that  Russian  officials  did  little  to  discourage  the 
online  assault,  which  was  coordinated  through  a  Russian  online  forum  that  appeared  to  have 
been  prepped  with  target  lists  and  details  about  Georgian  Web  site  vulnerabilities  well  before  the 
two  countries  engaged  in  a  brief  but  deadly  ground,  sea  and  air  war.”^^ 

This  war  will  not  be  the  last  of  its  type.  Why?  Cyberattacks  enjoy  two  significant 
advantages.  Namely,  they  are  relatively  cheap  to  employ,  and  it  is  nearly  impossible  to  determine 
responsibility  for  them.^^  Bill  Woodcock,  the  research  director  at  Packet  Clearing  House,  a 
nonprofit  internet  research  organization,  remarked  “you  could  fund  an  entire  cyberwarfare 
campaign  for  the  cost  of  replacing  a  tank  tread,  so  you  would  be  foolish  not  to.”^"^ 


^  John  Markoff,  “Before  the  Bombs,  Cyberattacks.”  New  York  Times,  August  13,  2008,  sec.  Al. 

^  Ibid. 

Mark  Rutherford,  "Report:  Russian  mob  aided  cyberattacks  on  Georgia,"  CNET News  (18  August  2009) 
found  at  http://news.cnet.eom/8301-13639_3-10312708-42.html  (accessed  on  29  October  2013). 

Jon  Oltsik  “Russian  Cyber  Attack  on  Georgia:  Lessons  Learned?”  Network  World,  (17  August  2009), 
found  at:  http://www.networkworld.com/community/node/44448  (accessed  on  29  October  2013). 

Brian  Krebs,  “Report:  Russian  Hacker  Forums  Fueled  Georgia  Cyber  Attacks,”  Washington  Post  (16 
October  2008),  found  at  http://voices.washingtonpost  .com/securityfix/2008/10/report_russian_hacker_forums_ 
forums_f.html  (accessed  on  29  October  2013). 
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’  Markoff,  “Before  the  Bombs,  Cyberattacks,”  Al. 
Ibid. 
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The  United  States  has  embraced  the  idea  of  conducting  offensive  cyberwarfare/^ 
Offensive  cyberoperations,  “executed  by  DoD's  Cyber  Command,  either  in  support  of 
conventional,  kinetic  war  fighting  or  on  a  stand-alone  basis”^^  is  one  relatively  new  tool  in  the 
military  instrument  of  power  toolbox.  Steven  Bradbury  underscores  “the  fact  that  the  (Obama) 
administration  is  standing  up  a  unified  Cyber  Command  and  putting  such  focus  and  resources 
into  it  suggests  that  the  President  has  largely  decided  to  conduct  offensive  cyber  operations 
through  the  military  option.”^’  So,  given  the  fact  that  there  is  statutory  authority  to  conduct 
offensive  cyberoperations  as  well  as  a  significant  investment  in  doing  so,  should  one  look  at  the 
legal  underpinnings  of  fighting  a  war  in  this  brave,  new  domain?  The  very  statutory  authority 
that  allows  the  Department  of  Defense  to  conduct  offensive  operations  in  cyberspace  also  places 
on  it  the  burden  to  observe  “the  policy  principles  and  legal  regimes  that  the  Department  follows 
for  kinetic  capabilities,  including  the  law  of  armed  conflict.”^^  This  research  paper  will  look  at 
conducting  offensive  cyberoperations  thru  the  lens  of  the  Law  of  Armed  Conflict  (LOAC).  First, 
ni  discuss  LOAC.  Second,  I’ll  explain  offensive  cyberoperations,  and  differentiate  between 
cyberattack  and  cyberexploitation,  Next,  I’ll  identify  four  types  of  offensive  cyberoperations. 
Finally,  I’ll  use  the  LOAC  elements  of  constraint  to  analyze  the  utility  and  propriety  of  offensive 
cyberoperations. 


National  Defense  Authorization  Act  for  Fiscal  Year  2012,  Pub.  L.  No.  1 12-81,  §954,  125  Stat.  1298, 
1551  (2011).  “Congress  affirms  that  the  Department  of  Defense  has  the  capability,  and  upon  direction  by  the 
President  may  conduct  offensive  operations  in  cyberspace  to  defend  our  Nation,  Allies  and  interests,  subject  to — (1) 
the  policy  principles  and  legal  regimes  that  the  Department  follows  for  kinetic  capabilities,  including  the  law  of 
armed  conflict;  and  (2)  the  War  Powers  Resolution  (50  U.S.C.  §1541  et  seq.).” 

Steven  G.  Bradbury,  “Keynote  Address:  The  Developing  Legal  Framework  for  Defensive  and  Offensive 
Cyber  Operations,”  Harvard  National  Security  Journal,  vol.  2:  591,  602  (2011). 

Ibid.,  at  607. 

National  Defense  Authorization  Act  for  Fiscal  Year  2012,  Pub.  L.  No.  1 12-81,  §954,  125  Stat.  1298, 
1551  (2011).  See  Note  15. 


3 


Thesis 


This  research  paper  uses  a  qualitative  approach  to  argue  that  the  United  States  should  be 
able  to  conduct  offensive  cyberoperations  within  the  jus  in  hello  parameters  of  the  Law  of 
Armed  Conflict. 
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Foundational  Assumptions 

It  is  important  at  the  outset  to  establish  some  assumptions  of  this  paper.  First,  the  main 
body  of  relevant  international  laws,  and  the  body  of  laws  most  pertinent  for  the  discussion  of  this 
paper,  is  LOAC.^^  Second,  offensive  cyberoperations  during  a  state  of  international  armed 
conflict  between  two  state  actors  will  be  examined.  Therefore  only  the  portions  of  the  LOAC 
(jus  in  bello)  that  address  ongoing  hostilities  will  be  explored.^^  Third,  the  effects  rather  than  the 
modality  of  offensive  cyberoperations  are  the  appropriate  starting  point  for  understanding  how 
LOAC  applies  to  it. 


For  further  discussion  on  ethical  frameworks  such  as  the  Just  War  Theory  applicability  to  cyberwarfare, 
see  Randall  R.  Dipert,  “The  Ethics  of  Cyberwarfare,”  Journal  of  Military  Ethics  vol.  9,  #4:  384  (2010),  and  Cook’s 
reply  at  James  Cook,  “Cyberation  and  Just  War  Doctrine:  A  Response  to  Randall  Dipert,”  Journal  of  Military  Ethics 
vol.  9,  #4:  411  (2010)  as  well  as  Kristen  Tullos,  Symposium:  International  Law  and  The  Internet:  Adapting  Legal 
Erameworks  in  Response  to  Online  Warfare  and  Revolutions  Eueled  by  Social  Media:  Erom  Cyber  Attacks  to  Social 
Media  Revolutions:  Adapting  Legal  Erameworks  to  the  Challenges  and  Opportunities  of  New  Technology,  Emory 
International  Law  Review  vol.  26:  733  (2012),  citing  Eric  Talbot  Jensen,  Cyber  Deterrence,  Emory  International 
Law  Review  vol.  26:  773  (2012). 

For  non-state  actor  involvement  in  offensive  cyberoperations,  see  Erick  Mudrinich,  Article:  Cyber  3.0: 
The  Department  of  Defense  Strategy  for  Operating  in  Cyberspace  and  the  Attribution  Problem,  Air  Force  Law 
Review  vol.  68:  167  (2012). 
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The  Law  of  Armed  Conflict  (LOAC) 


LOAC  addresses  two  fundamental  questions  regarding  the  conduct  of  armed  conflict. 
First,  when  can  a  nation  state  legally  use  force  against  another;  and  second,  once  hostilities  have 
commenced,  what  are  the  set  of  rules  that  govern  the  nation  state  belligerents?^^  Jus  ad  helium  is 
the  set  of  laws  that  apply  when  one  nation  state  can  legally  use  force  against  another.^^  Put 
another  way,  it  refers  to  “those  established  ‘conflict  management’  norms  and  procedures  that 
dictate  when  a  state  may— and  may  not— legitimately  use  force  as  an  instrument  of  dispute 

no 

resolution.”  The  law  governing  when  nations  are  involved  in  international  armed  conflict, 
which  is  wholly  distinct  and  separate  from  jus  ad  helium,  is  known  as  jus  in  hello?"^  The  Hague 
Conventions  of  1899  and  1907,  the  Geneva  Conventions  and  customary  international  law  serve 
as  foundational  support  of  modem  jus  in  hello  interpretations.^^  Customary  international  law  is 
one  of  two  sources  of  international  law,  with  the  other  source  being  treaties.  Customary 
international  law  springs  “from  a  general  and  consistent  practice  of  states  followed  by  them  from 
a  sense  of  legal  obligation.”  Bradley  and  Goldsmith  note  that  “despite  its  relatively  amorphous 
nature,  CIL  [customary  international  law]  has  essentially  the  same  binding  force  under 

90 

international  law  as  treaty  law.” 


^  Anna  Wortham,  Note:  Should  Cyber  Exploitation  Ever  Constitute  a  Demonstration  of  Hostile  Intent  That 
May  Violate  UN  Charter  Provisions  Prohibiting  the  Threat  or  Use  ofEorce?  Federal  Communications  Law  Journal 
vol.  64:  643,  646  (May  2012). 

Ibid. 

Ibid. 

George  K.  Walker,  Information  Warfare  and  Neutrality,  Vanderbilt  Journal  of  Transnational  Law  vol.  33 
no.  5:  1079,  1090  (November  2000). 

William  A.  Owens,  Kenneth  W.  Dam  &  Herbert  S.  Lin  eds..  Technology,  Policy,  Law,  and  Ethics 
Regarding  U.S.  Acquisition  and  Use  of  Cyber  attack  Capabilities,  (Washington,  DC:  National  Academics  Press, 
2009),  246. 

Curtis  A.  Bradley  and  Jack  L.  Goldsmith,  Customary  International  Law  as  Eederal  Common  Law:  A 
Critique  of  the  Modern  Position,  Harvard  Law  Review  vol.  110,  no.  4:  815,  817  (February  1997). 

Louis  Henkin,  ed.  Restatement  of  the  Law  Third,  The  Loreign  Relations  Law  of  the  United  States 
(Philadelphia,  PA:  American  Law  Institute,  1989),  §102(2). 

Bradley  and  Goldsmith,  818,  citing  Restatement  of  the  Law  Third,  The  Loreign  Relations  Law  of  the 
United  States,  §102,  comment). 
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Offensive  Cyberoperations,  Cyberattack  and  Cyberexploitation 

Offensive  cyberoperations  cover  a  wide  range  of  computer-based  activities  aimed  at 
disabling  or  disrupting  an  adversary’s  ability  to  use  computer  based  resources  or  assets  or  to 
defend  a  nation’s  own  network  against  exploitation.  Offensive  cyberoperations  can  range  from 
activities  such  as  collecting  or  copying  data  from  foreign  computer  systems  and  databases  to 
disrupting  computer  systems,  denying  its  use  by  others  and  even  covert  action  conducted  by 
intelligence  agencies  aimed  at  damaging  an  adversary’s  computer  systems.  As  noted  earlier, 
offensive  cyber  operations  will  primarily  be  conducted  through  the  military  instrument  of 
power.^°  Given  this  current  military  emphasis  buttressed  by  the  fact  that  the  military  now  has  the 
statutory  authority  to  conduct  offensive  cyberoperations,  it  will  be  vitally  important  for  planners 
and  executors  of  these  operations  to  know  the  operational  parameters  to  ensure  the  legitimacy  of 
their  actions  and  resultant  consequences. 

The  terms  cyberattack  and  cyberexploitation  are  often  used  interchangeably,  but  they  are 
different.  Wortham  points  out  that  “cyber  attacks  and  cyber  exploitations  are  the  two  forms  of 
hostile  actions  that  may  be  taken  against  a  computer  system  or  network.  Cyber-attack  and  cyber 
exploitation  are  two  distinct  actions.”^ ^  Cyberattack  refers  to  refers  to  deliberate  actions  to  alter, 
disrupt,  deceive,  degrade,  or  destroy  computer  systems  or  networks  or  the  information  and/or 
programs  resident  in  or  transiting  these  systems  or  networks. One  of  the  objects  of 
cyberattacks  is  to  make  an  adversary  think  that  their  computer  systems  or  data  related  to  those 
systems  are  unreliable  or  unavailable  for  use,  thereby  degrading  an  adversary’s  ability  to  conduct 

Steven  G.  Bradbury,  Keynote  Address:  The  Developing  Legal  Framework  for  Defensive  and  Offensive 
Cyber  Operations,  Harvard  National  Security  Law  Journal  vol.  2;  591,  602  (2011). 

Ibid.,  at  607. 

Anna  Wortham,  Note:  Should  Cyber  Exploitation  Ever  Constitute  a  Demonstration  of  Hostile  Intent  That 
May  Violate  UN  Charter  Provisions  Prohibiting  the  Threat  or  Use  ofPorce?  Federal  Communications  Law  Journal 
vol.  64:  643,  646  (May  2012). 

Owens,  Dam  and  Lin,  10-11. 
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armed  conflict  effectively.  Cyberexploitation  is  usually  conducted  for  the  “purpose  of  obtaining 
information  resident  on  or  transiting  through  an  adversary's  computer  systems  or  networks. 
Wortham  notes  that  “the  main  difference  between  cyber-attack  and  cyber  exploitation  is  that 
cyber-attack  is  destructive  in  nature  while  cyber  exploitation  is  focused  on  intelligence  gathering 
and,  in  order  to  be  covert,  purposely  does  not  try  to  affect  the  normal  processes  of  the  computer 
or  network  exploited.”  In  fact,  “the  best  cyberexploitation  is  one  that  such  a  user  never 
notices.”^^ 


Wortham,  646. 

Owens,  Dam  and  Lin,  1 1 . 
Wortham,  646. 

Owens,  Dam  and  Lin,  1 1 . 


8 


Four  Types  of  Offensive  Cyber  Operations 

For  purposes  of  this  paper,  I  will  confine  offensive  cyberoperations  to  four  general  types 


of  actions.  They  are  destroying  data  on  a  network  or  a  system  connected  to  a  network,  being  an 
active  member  of  a  network  and  generating  bogus  traffic,  clandestinely  altering  data  in  a 
database  stored  on  a  network  and  degrading  or  denying  service  on  a  network.  I’ll  briefly  describe 
each  one  of  these  types  of  actions. 

Destroying  Data  on  a  Network  or  a  System  Connected  to  a  Network 

The  first  type  of  offensive  cyberoperation  is  destroying  data  on  a  network  or  a  system 
connected  to  a  network.  In  this  type  of  offensive  cyberoperation,  a  belligerent  gains  access  to  an 
enemy’s  network  to  delete  data  or  reformat  files  found  on  system  hard  drives.  This  type  of 
offensive  cyberoperation  could  cripple  any  sort  of  function  whose  proper  operation  depends  on 
being  connected  to  a  network  or  data  connected  to  a  network,  such  as  a  power  grid.^^ 

Being  an  Active  Member  of  a  Network  and  Generating  Bogus  Traffic 

The  second  type  of  offensive  cyberoperation  is  being  an  active  member  of  a  network  and 
generating  bogus  traffic.  In  this  type  of  offensive  cyberoperation,  a  belligerent  gains  access  to  an 
adversary’s  network  and  masquerades  as  a  trusted  person  or  source.  An  example  might  be  a 
belligerent  who  may  “masquerade  as  the  adversary’s  national  command  authority  or  as  another 
senior  official  or  agency  and  issue  phony  orders  or  pass  faked  intelligence  information.’’'^'^ 
Clandestinely  Altering  Data  in  a  Database  Stored  on  a  Network 

The  third  type  of  offensive  cyberoperation  is  to  clandestinely  alter  data  in  a  database 
stored  on  a  network.  In  this  type  of  offensive  cyberoperation,  a  belligerent  gains  access  to  an 


37  ■ 


Herbert  S.  Lin,  Offensive  Cyber  Operations  and  the  Use  of  Force,  Journal  of  National  Security  Policy 
Law,  vol.  4:  63,  69-70  (2010). 


40 


Ibid. 

Ibid. 

Ibid. 
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adversary’s  network  and  changes,  but  doesn’t  destroy,  data  stored  on  a  database  or  a  network."^^ 
An  example  might  be  a  belligerent  gaining  access  to  a  database  of  aircraft  parts  and  changing  the 
condition  codes  on  various  items  to  wrongly  reflect  that  unserviceable  items  are  serviceable  and 
could  be  used  to  repair  jet  engines. 

Degrading  or  Denying  Service  on  a  Network 

The  fourth  type  of  offensive  cyberoperation  is  to  degrade  or  deny  service  on  a  network. 

In  this  type  of  offensive  cyberoperation,  a  belligerent  attempts  “to  degrade  the  quality  of  service 
available  to  network  users  by  flooding  communications  channels  with  large  amounts  of  bogus 
traffic. An  example  is  an  e-mail  server  being  flooded  with  so  many  e-mail  messages  that  the 
server  crashes  and  becomes  inoperable. 


41 

42 


Ibid. 

Ibid. 
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LOAC  Elements  of  Constraint  Analysis  of  Offensive  Cyberattacks 

Owens,  Dam  and  Lin  lay  out  six  modem  constraints  categories  and  definitions  on  the 
conduct  of  belligerents  during  international  armed  conflict.  These  constraints  are  military 
necessity,  proportionality,  perfidy,  distinction,  neutrality  and  discrimination.  They  serve  as  a 
useful  analytical  framework  to  determine  the  propriety  of  conduct  when  nation  states  are 
engaged  in  various  operations  of  armed  conflict,  including  offensive  cyberoperations.  I  will 
utilize  this  framework,  albeit  with  one  minor  modification. 

Military  Necessity 

Military  necessity  demands  that  valid  targets  are  limited  to  those  that  make  a  direct 
contribution  to  the  enemy’s  war  effort,  or  those  whose  damage  or  destmction  would  produce  a 
military  advantage  because  of  their  nature,  location,  purpose,  or  use,  or  in  other  words,  a  military 
objective.'^^  Schmitt  asserts  the  problem  regarding  interpreting  what  is  a  “military  objective” 

“lies  in  ascertaining  the  required  nexus  between  the  object  to  be  attacked  and  military 
operation.”"^"^  The  International  Committee  of  the  Red  Cross  (ICRC)  narrowly  defines  the 
definition  of  military  necessity  contained  in  Geneva  Convention  Additional  Protocol."^^ 
According  to  Schmitt,  the  ICRC’s  Commentary  to  the  Protocol  would  exclude  “attacks  that  offer 
only  a  ‘potential  or  indeterminate’  advantage”  as  not  establishing  a  clear  military-civilian  nexus 
justifying  military  necessity.'^^'^^  Schmitt  notes  that  the  United  States  takes  a  different  tack  on  the 


^  Owens,  Dam  and  Lin,  246. 

Michael  N.  Schmitt.  Wired  Warfare:  Computer  Network  Attack  and  Jus  in  Bello.  International  Review  of 
the  Red  Cross  vol.84,  no.  846:  365,  380  (2002). 
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Ibid. 


’  Additional  Protocol  I  to  the  Geneva  Convention  of  12  August  1949,  and  Relating  to  the  Protection  of 
Victims  of  International  Armed  Conflicts,  Art.  52(2),  12  December  1977.  (downloaded  10  November  2013  at 
http://www.icrc.org/applic/ihl/ihl.nsf/Article.xsp?action=openDocument&documentId=F08A9BC78AE360B3C125 
63CD0051DCD4).  “Attacks  shall  be  limited  strictly  to  military  objectives.  In  so  far  as  objects  are  concerned, 
military  objectives  are  limited  to  those  objects  which  by  their  nature,  location,  purpose  or  use  make  an  effective 
contribution  to  military  action  and  whose  total  or  partial  destruction,  capture.” 
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Schmitt,  380. 
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interpretation  of  military  objective.  The  U.S  would  include  economic  targets  that  “indirectly  but 
effectively  support  and  sustain  the  enemy’s  war-fighting  capability,  a  particularly  expansive 
interpretation.”'^^  This  expansive  interpretation  is  also  reflected  in  joint  doctrine  as  reflected  in 
Joint  Publication  3-60,  which  engenders  “debates  about  attacks  on  enemy  morale,  information 
operations,  interconnected  systems,  and  strategic  versus  tactical-level  advantages,  to  name  a  few 
areas. 

For  all  four  types  of  offensive  cyberoperations,  the  analysis  is  the  same:  does  the  targeted 
system  bear  some  nexus  between  the  object  to  be  attacked  and  military  operation  given  the 
United  States  expansive  definition  of  military  objective?  As  more  and  more  of  a  country’s 
economy  become  dependent  on  the  internet,  from  purely  a  military  objective  standpoint  this  may 
broaden  the  amount  of  targets  that  can  be  pursued  by  American  offensive  cyberoperations. 
Indirect  targets  such  as  financial  institutions  that  support  an  enemy’s  military  operations,  energy 
sources  used  to  sustain  military  operations  and  other  institutions  that  provide  support  to  an  armed 
conflict  could  be  targeted.  There  may  be  other  legal  and  political  considerations  that  would 
militate  attacking  such  targets,  but  from  a  military  objective  standpoint  these  would  be  legitimate 
targets  for  offensive  cyberoperations.  However,  there  are  limits  to  what  may  be  considered  as 
acceptable  targets.  For  example,  attacking  networks  associated  with  certain  categories  of  objects, 
such  as  religious  and  medical  buildings  and  infrastructures  would  be  prohibited  since  they  enjoy 


Commentary  on  the  Additional  Protocols  of  8  June  1977  to  the  Geneva  Conventions  of  12  August  1949, 
ICRC,  Geneva,  1987,  para.  2024,  (downloaded  10  November  2013  at 

http://www.icrc.org/applic/ihl/ihl.nsf/Comment.xsp?viewComments=LookUpCOMART&articleUNID=F08A9BC7 
8AE360B3C12563CD0051DCD4).  “Finally,  destruction,  capture  or  neutralization  must  offer  a  ’  definite  military 
advantage  '  in  the  circumstances  ruling  at  the  time.  In  other  words,  it  is  not  legitimate  to  launch  an  attack  which  only 
offers  potential  or  indeterminate  advantages.  Those  ordering  or  executing  the  attack  must  have  sufficient 
information  available  to  take  this  requirement  into  account;  in  case  of  doubt,  the  safety  of  the  civilian  population, 
which  is  the  aim  of  the  Protocol,  must  be  taken  into  consideration.” 

Schmitt,  380-381,  citing  The  Commander’s  Handbook  on  the  Law  of  Naval  Operations  (NWP  1-14M, 
MWCP  5-2.1,  COMDTPUB  P5800.7),  para  8.1.1  (1995). 

Law  of  Armed  Conflict  Deskbook,  International  and  Operational  Law  Department,  (Charlottesville,  VA: 
The  United  States  Army  Judge  Advocate  General's  Legal  Center  and  School,  2012),  138. 
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special  protection  and  under  usual  circumstances  are  immune  from  being  targeted  by 
belligerents.^^ 

Proportionality 

Proportionality  determinations  are  analyzed  through  the  prism  of  the  Geneva  Convention 
Additional  Protocol.  “An  attack  which  may  be  expected  to  cause  incidental  loss  of  civilian  life, 
injury  to  civilians,  damage  to  civilian  objects,  or  a  combination  thereof,  which  would  be 
excessive  in  relation  to  the  concrete  and  direct  military  advantage  anticipated”  violates  the 
principle  of  proportionality.  Proportionality  would  not,  per  se,  prohibit  the  use  of  the  four  types 
of  offensive  cyberoperations.  Rather,  “the  prohibition  is  on  the  death,  injury,  and  destruction 

CO 

being  excessive;  not  on  the  attack  causing  such  results.” 

Proportionality  should  also  be  examined  from  the  doctrine  of  Double  Effect  standpoint. 
Walzer  explains  than  when  military  planners  consider  attacking  a  target,  the  attacker  must  intend 
to  hit  the  target,  and  that  the  attacker  must  not  intend  to  harm  civilians. In  fact,  Walzer  stresses 
that  “it  is  morally  necessary  to  take  such  measures,  that  is,  to  be  careful  in  the  strongest  sense, 
even  if  it  appears  likely  that  the  number  of  deaths  caused  by  the  attack  would  not  be 


(Look  at  footnote  47  format)  The  1949  Geneva  Convention  I,  Article  19:  “Fixed  establishments  and 
mobile  medical  units  of  the  Medical  Service  may  in  no  circumstances  be  attacked,  but  shall  at  all  times  be  respected 
and  protected  by  the  Parties  to  the  conflict.  Should  they  fall  into  the  hands  of  the  adverse  Party,  their  personnel  shall 
be  free  to  pursue  their  duties,  as  long  as  the  capturing  Power  has  not  itself  ensured  the  necessary  care  of  the 
wounded  and  sick  found  in  such  establishments  and  units.  The  responsible  authorities  shall  ensure  that  the  said 
medical  establishments  and  units  are,  as  far  as  possible,  situated  in  such  a  manner  that  attacks  against  military 
objectives  cannot  imperil  their  safety.” 

Additional  Protocol  I  to  the  Geneva  Convention  of  12  August  1949,  and  Relating  to  the  Protection  of 
Victims  of  International  Armed  Conflicts,  Art.  51(5),  12  December  1977.  (Downloaded  16  November  2013  at 
http://www.icrc.org/ihlAVebART/470-750065). 

Law  of  Armed  Conflict  Deskbook,  International  and  Operational  Law  Department,  The  United  States 
Army  Judge  Advocate  General's  Legal  Center  and  School,  Charlottesville,  VA  (2012),  149. 

Michael  Walzer,  “Responsibility  and  Proportionality  in  State  and  Nonstate  Wars,”  Parameters  vol.  39: 
48-49  (Spring  2009). 
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‘disproportionate  to’  whatever  the  relevant  measure  might  be.  The  attacking  force  must  protect 
civilians  as  best  they  can — ^period.  That  is  their  moral  responsibility.”^^ 

Schmitt  notes  two  problems  concerning  offensive  cyberoperations  and  proportionality. 
“A  balance  must  be  struck  between  suffering  and  damage  versus  military  advantage  without  a 
common  system  of  valuation.  There  aren’t  any  ‘right’  answers,  and  the  answers  are  always 
contextual  depending  on  what  is  going  on  at  the  time  of  hostilities.”  The  Commentary  to  the 
Additional  Protocols  note  the  difficulty  and  ambiguity  as  well,  saying  “putting  these  provisions 
into  practice,  or,  for  that  matter,  any  others  in  Part  IV,  will  require  complete  good  faith  on  the 
part  of  the  belligerents,  as  well  as  the  desire  to  conform  with  the  general  principle  of  respect  for 
the  civilian  population.”^’ 

The  proportionality  analysis  is  also  made  more  difficult  by  the  possibility  of  second-tier 
effects.  “The  secondary  effects  of  a  cyber  attack  can  be  profound  and,  depending  on  whether  the 
attack  extends  beyond  its  intended  target  in  a  significant  way,  can  violate  the  principle  of 
proportionality;  therefore,  one  should  not  trivialize  its  impact  in  a  time  of  war.”^^  However, 
Richardson  points  out  that  in  the  cyber  realm,  direct  injury,  death,  damage,  or  destruction  from 
an  attack  is  rare  -  at  least  as  of  201 1  -  whether  aimed  at  civilian  or  military  objectives.  Direct 
harm  to  people  from  a  virus  infecting  a  computer  -  as  distinguished  from  a  denial  of  service 
attack  -  has  not  been  documented.”^^  In  addition,  Schmitt  points  out  that  the  use  of  offensive 
cyberoperations  may  actually  work  to  decreasing  the  size  and  scope  of  collateral  damage  and 


Ibid.,  49. 

Schmitt,  392. 

Commentary  on  the  Additional  Protocols  of  8  June  1977  to  the  Geneva  Conventions  of  12  August  1949, 
ICRC,  Geneva,  1987,  para.  1978  (Downloaded  16  November  2013  at 

http://www.icrc. org/applic/ihl/ihLnsf/Comment.xsp?viewComments=LookUpCOMART&articleUNID=4BEBD992 
0AE0AEAEC12563CD0051DC9E). 

John  Richardson,  Article:  Stuxnet  as  Cyberwarfare:  Applying  the  Law  of  War  to  the  Virtual  Battlefield, 
John  Marshall  Journal  of  Computer  &  Information  Law  vol.  29:  1,  24  (Eall,  2011). 

Ibid. 
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incidental  injury  by  merely  “turning  off’  or  interrupting  an  enemy’s  target  as  opposed  to 
destroying  it.^*^  Instead  of  bombing  an  airfield,  air  traffic  control  can  be  interrupted  for  short 
periods  of  time.  The  same  is  true  for  power  production,  distribution  and  communication  systems 
and  industrial  plants.  Intermpted  or  turned  off  functions  can  be  brought  back  online  soon  after 
the  need  for  its  inability  to  operate  is  over,  thereby  minimizing  the  deleterious  effects  on  the 

f\  1 

civilian  population  and  obviating  the  need  to  rebuild  destroyed  facilities. 

Perfidy 

When  a  belligerent  “seeks  to  deceive  an  enemy  into  believing  that  he  is  obligated  under 
the  law  of  armed  conflict  to  extend  special  protection  to  a  friendly  asset  when  such  is  not  the 
case,”  the  belligerent  commits  the  prohibited  act  of  perfidy.  Such  a  violation  is  considered  a 
“grave  breach”  of  international  law.  Certain  categories  of  objects  and  people,  such  as  religious 
buildings,  medical  facilities  medical  personnel  and  prisoners  of  war,  enjoy  special  protection  and 
must  be  identified  as  such  to  prevent  other  belligerents  from  identifying  and  targeting  them  as 
legitimate  military  targets. When  a  belligerent  intentionally  misuses  these  markings  and 
symbols  for  protected  persons  or  objects,  that  belligerent  is  guilty  of  perfidy.  It  is  important  to 
distinguish  perfidy  from  lawful  ruses.  A  lawful  ruse  is  “intended  to  mislead  an  adversary  or  to 
induce  him  to  act  recklessly  but  is  use  infringes  no  rule  of  international  law  applicable  in  armed 
conflict  and  doesn’t  mislead  the  adversary  into  believing  that  he  is  entitled  to  special 


60 


Schmitt,  394. 
Ibid. 


62 
63  1 


Ibid. 


’  Louis  Rene  Beres,  Religious  Extremism  and  International  Legal  Norms:  Perfidy,  Preemption,  and 
Irrationality,  Case  Western  Reserve  Journal  of  International  Law,  vol.  39:  709,  722  (2007-2008). 
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protection.”  Common,  lawful  ruses  include  decoys,  fake  operations,  camouflage  and 
misinformation.^^ 

Conducting  offensive  cyberoperations  offers  many  opportunities  for  ruses  and  perfidy. 
Being  an  active  member  on  a  network  and  transmitting  bogus  traffic  as  well  as  clandestinely 
altering  data  in  a  database  or  a  database  connected  to  a  network  can  be  used  to  transmit  or 
convey  false  information.  “Lawful  ruses  might  include  transmitting  false  data  meant  to  be 
intercepted  by  an  adversary  that  relate  to  troop  deployments  or  movements.  Another  example 
could  be  altering  an  adversary’s  database,  resulting  in  sending  messages  to  enemy  headquarters 
purporting  to  be  from  subordinate  units,  or  passing  instructions  to  subordinate  units  that  appear 
from  their  headquarters.”  However,  depending  on  how  offensive  cyberoperations  are 
implemented,  perfidy  can  occur.  “Medical  units  and  transports  may  use  codes  and  signals 
established  by  the  International  Telecommunications  Union,  the  International  Civil  Aviation 
Organization,  and  the  International  Maritime  Consultative  Organization  to  identify  themselves. 
Falsely  transmitting  such  codes  or  signals,  or  causing  an  adversary  system  to  reflect  such  false 
signals  (through  being  an  active  member  of  a  network  and  generating  bogus  traffic  or 
clandestinely  altering  data  in  a  database  or  a  database  connected  to  a  network)  would  be 
examples  of  perfidy.”  Military  planners  should  take  caution  in  being  an  active  member  of  a 
network  and  generating  bogus  traffic  or  clandestinely  altering  data  in  a  database  or  a  database 
connected  to  a  network  so  that  they  can  take  advantage  of  legal  ruses,  and  not  cross  the  line  into 
perfidy.  For  example,  using  visual  morphing  techniques  to  create  an  image  of  the  enemy’s  chief 
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of  state  informing  his  forces  that  an  armistice  or  cease-fire  agreement  had  been  signed  would  be 
a  war  crime  according  to  the  Department  of  DefenseJ*^ 

Distinction 

The  principle  of  distinction  requires  belligerents  to  “make  reasonable  efforts  to 
distinguish  between  military  and  civilian  assets  and  between  military  personnel  and  civilians, 
and  to  refrain  from  deliberately  attacking  civilians  or  civilian  assets.”  The  1977  Additional 
Protocol  I  to  the  Geneva  Convention  illustrates  the  principle  of  distinction:  “[A]  technical  term 
in  the  laws  of  armed  conflict  intended  to  protect  civilian  persons  and  objects.  Under  this 
principle,  parties  to  an  armed  conflict  must  always  distinguish  between  civilians  and  civilian 
objects  on  the  one  hand,  and  combatants  and  military  targets  on  the  other.”  Kelsey’s  analysis  of 
distinction  with  regard  to  the  use  of  offensive  cyberoperations  would  be  similar  to  the  use  of 
kinetic  weapons,  and  would  be  permissible  in  most  situations.^"^  “As  militaries  develop  plans  for 
using  cyber  weapons,  the  military  and  legal  communities  will  need  to  reinterpret  the  principle  to 
effectively  apply  it  to  cyber  warfare.  This  process  seems  relatively  straightforward  for  most  uses 

n  c 

of  cyber  weapons.” 

Dual  use  objects,  or  those  that  serve  both  military  and  civilian  objectives  such  as  rail 
lines,  power  grids,  communications  systems,  and  factories,  “qualify  as  military  objectives  subject 


™  Ibid.,  395-396. 

Ibid. 

Additional  Protocol  I  to  the  Geneva  Convention  of  12  August  1949,  and  Relating  to  the  Protection  of 
Victims  of  International  Armed  Conflicts,  Art.  57,  12  December  1977.  (Downloaded  16  November  2013  at 
http://www.icrc.org/applic/ihl/ihl.nsf/ Article. xsp?key=distinction&action=openDocument&documentId=50FB5579 
FB098FAAC12563CD0051DD7C). 

Heike  Spieker,  “Civilian  Immunity.”  Crimes  of  War:  What  the  Public  Should  Know.  Roy  Gutman  and 
David  Rieff,  eds.  (New  York:  W.W.  Norton  and  Company,  1999),  p.  84. 

Jeffrey  T.G.  Kelsey,  Note,  Hacking  into  International  Humanitarian  Law:  The  Principles  of  Distinction 
and  Neutrality  in  the  Age  of  Cyberwarfare,  Michigan  Law  Review,  vol.  106:  1427,  1437  (2008). 


75 


Ibid. 


17 


nf\ 

to  attack,  even  if  their  primary  purpose  is  not  military,  but  civilian.”  Schmitt,  like  Hollis,  takes 
a  broad  interpretation  of  dual  use  objects,  stating  “if  an  object  is  being  used  for  military 
purposes,  it  is  a  military  objective  vulnerable  to  attack,  including  computer  network  attack.  This 
is  true  even  if  the  military  purposes  are  secondary  to  the  civilian  ones.”’’  This  expansive 
interpretation  would  give  military  planners  the  flexibility  to  employ  offensive  cyberoperations 
against  the  full  array  of  dual  use  objects.  However,  some  caveats  should  be  noted.  Because 
distinction  requires  that  “make  reasonable  efforts  to  distinguish  between  military  and  civilian 
assets  and  between  military  personnel  and  civilians,”’^  offensive  cyberoperations  that  could 
cause  civilian  death  and  destruction  would  not  be  permitted  because  at  a  minimum,  international 
humanitarian  law  requires  military  commanders  to  “know  not  just  where  to  strike  but  be  able  to 
anticipate  all  the  repercussions  of  an  attack.”  For  example,  if  conducting  any  type  of  offensive 
cyberoperation  would  have  the  effect  of  disrupting  an  air  traffic  control  system  that  could 
endanger  relief  planes  or  commercial  aircraft,  “the  principle  of  distinction  would  force  the 
commander  to  evaluate  whether  such  a  plan  was  the  best  way  to  achieve  the  expected  military 
advantage  while  minimizing  the  loss  of  civilian  lives.  Again,  the  principle  would  likely  dictate  a 
change  to  the  scope  of  the  operation  to  avoid  the  threat  to  civilians. Therefore,  offensive 
cyberoperations  that  target  dual  use  objects  need  to  be  analyzed  in  the  same  way  that  dual  use 
targets  are  analyzed  when  kinetic  weapons  are  used.^^ 


™  Hollis,  at  1044. 

’’  Schmitt,  384. 

Owens,  Dam  and  Lin,  247. 

Bradley  Graham,  “Military  Grappling  With  Guidelines  For  Cyber  Warfare;  Questions  Prevented  Use  on 
Yugoslavia,”  Washington  Post,  Nov.  8,  1999,  Al. 

Kelsey,  at  1438. 

“Where  infrastructures  have  a  “dual-use”  serving  both  civilian  and  military  purposes — they  qualify  as 
military  objectives  subject  to  attack,  even  if  their  primary  purpose  is  not  military,  but  civilian.  If  that  rule  holds  for 
lO,  however,  then  militaries  may  target  virtually  all  computer  networks.  As  of  2000,  95%  of  all  U.S.  military  traffic 
moved  over  civilian  telecommunication  and  computer  systems,  and  the  trend  is  clearly  towards  greater  consolidation 
of  civilian  and  military  technology.  The  dual-use  rule  suggests,  therefore,  that  U.S.  adversaries  may  treat  all  U.S. 
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Some  commentators  (such  as  Owens,  Dam  and  Lin,  supra)  differentiate  between  the 
terms  distinction  and  discrimination.  However,  both  terms  are  essentially  synonymous. 
Discrimination  places  the  obligation  upon  belligerents  to  use  weapons  and  tactics  only  against 
combatants  and  to  avoid  non-combatants.^^  Certain  weapons,  such  as  biological  and  chemical 
weapons,  have  been  banned  by  treaty  due  to  their  indiscriminate  nature.^^  It’s  important  to  note 
that  there  isn’t  a  blanket  ban  on  all  indiscriminate  weapons  since  “the  harm  to  non-combatants  is 
minimized  through  adherence  to  the  requirements  of  proportionality.” 

Presently,  there  are  no  agreements  among  nations  banning  the  conduct  of  offensive 
cyberoperations.  Russia  has  advocated  for  an  international  agreement  that  would  ban  the  use  of 
cyberweapons  since  military  activities  are  increasingly  being  conducted  on  civilian  information 

QC 

networks.  The  United  States  has  resisted  for  such  a  call,  “arguing  that  it  was  impossible  to  draw 
a  line  between  the  commercial  and  military  uses  of  software  and  hardware.”  Leaven  and  Dodge 
argue  that  the  United  States’  response  to  cyberattack  would  be  handcuffed  by  the  restrictions  of 
an  international  treaty  as  well  as  threaten  its  leadership  in  cyberspace.  In  short,  the  prospects 
for  an  international  treaty  addressing  the  use  of  offensive  cyberoperations  appear  dim. 
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Neutrality 


A  nation  can,  under  customary  international  law,  “refrain  from  taking  part  in  an  armed 

OO 

conflict  or  war  by  declaring  neutrality  or  otherwise  assuming  neutral  status.”  Once  a  nation 
declares  its  neutrality  or  assumes  a  neutral  status,  it  is  legally  protected  from  being  attacked  or 
having  its  territorial  integrity  violated  by  belligerents  as  long  as  it  does  not  take  part  in  the  armed 
conflict  between  the  belligerents.  Walker  notes  that  “LOAC  treats  neutrals’  rights  and  duties 
differently,  depending  on  the  modality  of  warfare  and  the  part  of  the  Earth  affected,  such  as 
neutral  lands,  neutral  oceanic  waters,  the  high  seas  or  neutral  airspace.  There  is  overlap  between 
the  different  systems, an  important  point  to  note  especially  in  offensive  cyberoperations. 

Offensive  cyberattacks  that  are  carried  out  via  the  internet  are  likely  to  “involve  message 
traffic  that  physically  transits  a  number  of  different  nations.  Moreover,  it  is  entirely  possible, 
likely  even,  that  [nations  not  involved  in  hostilities]  would  be  aware  of  the  fact  that  they  were 
carrying  attack  traffic  at  all.”^^  If  the  United  States  decides  to  conduct  offensive  cyberoperations 
via  the  internet,  these  operations  will  most  likely  be  conducted  thru  servers  and  information 
pipelines  that  transit  neutral  nations,  or  at  the  very  least  through  nations  not  involved  in  the 
armed  conflict  as  belligerents.  Given  the  unique  and  ubiquitous  nature  of  offensive 
cyberoperations,  what  obligations  would  a  belligerent  have  in  not  routing  an  offensive 
cyberoperation  through  a  neutral  nation’s  routers,  servers  and  information  infrastructure?  To 
answer  that  question,  one  has  to  look  at  the  existing  governing  law. 


George  K.  Walker,  Information  Warfare  and  Neutrality,  Vanderbilt  Journal  of  Transnational  Law,  vol. 
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Walker  posits  that  the  laws  of  naval  and  air  warfare  are  perhaps  the  best  sources  of 
correlative  law  when  applied  to  the  conduct  of  offensive  cyberoperations.^^  He  notes  that  since 
the  geographic  environment  of  the  sea  and  air  and  the  virtual  environment  of  the  Internet  are 
fluid  and  that  no  nation  can  claim  sovereignty  over  vast  stretches  of  the  sea  and  air  as  well  as  the 
Internet,  naval  and  air  warfare  law  probably  are  the  best  sources  from  which  to  draw  parallels.^^ 
A  good  example  is  the  “Hague  Radio  Rules,”  a  set  of  naval  warfare  laws  that  deal  with  the 
information  transmission  “concerning  military  forces  or  operations  destined  for  a  belligerent.”^'^ 
Drawing  an  analogy,  Walker  advocates  “the  correlative  right  of  a  belligerent  that  is  aggrieved  by 
[information  warfare]  incursions  should  be  that  the  belligerent  may  take  such  actions  as  are 
necessary  in  the  context  of  a  neutral  that  is  unable  (or  perhaps  unwilling)  to  counter  enemy 
[information  warfare]  force  activities  making  unlawful  use  of  that  territory.”^^  As  a  result,  a 
nation  conducting  offensive  cyberoperations  may  put  neutral  nations  at  risk  of  attack. 

Drawing  parallels  from  others  sources  of  law  can  also  produce  a  dissimilar  conclusion. 
Owens,  Dam  and  Lin  point  out  that  under  the  Hague  Convention  of  1907  provisions  addressing 
telephone  and  telegraph  communications,  “a  neutral  Power  is  not  called  upon  to  forbid  or  restrict 
the  use  on  behalf  of  the  belligerents  of  telegraph  or  telephone  cables  or  of  wireless  telegraphy 
apparatus  belonging  to  it  or  to  companies  or  private  individuals.”  By  implication,  if  a  neutral 
nation  doesn’t  have  a  duty  to  interfere  with  the  transit  of  information  on  telephone  or  telegraph 
cables,  then  “an  analyst  might  conclude  that  belligerents  do  not  have  the  right  to  interfere  with 
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’  Convention  (V)  Respecting  the  Rights  and  Duties  of  Neutral  Powers  and  Persons  in  Case  of  War  on 
Land.  The  Hague,  18  October  1907,  (downloaded  November  29,  2013  at 

http://www.icrc. org/applic/ihl/ihl.nsf/ Article. xsp?action=openDocument&documentId=3F3777763877124FC12563 
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nodes  located  in  the  neutral  nation.”^^  While  contrary  conclusions  can  be  drawn,  there  is  still  a 
valid  justification  to  launch  offensive  cyberoperations  without  violating  a  neutral  nation’s  non¬ 
belligerent  status. 
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Recommendations 


Given  the  presence  of  an  internationally  recognized  framework  in  which  to  conduct 
military  operations,  the  United  States  should  continue  to  utilize  the  LOAC  as  a  basis  from  which 
to  conduct  the  four  types  of  offensive  cyberoperations. 

The  United  States  should  take  an  expansive  definition  of  what  constitutes  military 
necessity  in  regards  to  conducting  offensive  cyberoperations  with  the  caveat  that  protected  status 
for  objects  should  be  honored  to  the  greatest  extent  possible.  Merely  interrupting  or  turning  off 
certain  functions  for  limited  periods  of  time  can  ameliorate  proportionality  concerns.  Planners 
should  take  caution  when  designing  and  conducting  offensive  cyberoperations  so  that  ruses  don’t 
cross  the  line  into  perfidy.  Reasonable  efforts  should  be  made  to  distinguish  between  military 
and  civilian  assets  and  between  military  personnel  and  civilians.  Parallels  can  be  used  and 
interpreted  regarding  neutrality  that  will  allow  offensive  cyberoperations  to  be  used.  Offensive 
cyberoperations  can  be  used,  in  conjunction  with  the  other  theories  of  constraint,  since  no  treaty 
exists  that  bans  its  use. 

While  an  international  treaty  that  spells  out  the  limitations  of  offensive  cyberoperations 
could  prove  somewhat  helpful,  it  is  highly  unlikely  that  such  an  agreement  will  be  reached.  In 
the  absence  of  an  overarching  agreement,  the  United  States  must  look  to  existing  frameworks 
and  laws  upon  which  to  base  its  actions  and  ground  them  in  international  legitimacy.  Using 
existing  frameworks  and  laws  and  drawing  analogous,  reasonable  interpretations  of  them  will 
allow  the  United  States  to  pursue  its  national  security  objectives. 
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Conclusion 


The  LOAC  provides  an  analytical  framework  for  planners  and  legal  advisors  to  utilize 
when  considering  implementing  various  aspects  of  the  military  instrument  of  power  to  pursue 
national  objectives.  The  use  of  a  recognized  analytical  framework  lends  legitimacy  to  actions 
undertaken  by  the  United  States,  and  shows  commitment  to  recognized  rules  of  international  law. 
Given  the  present  parameters  of  the  existing  LOAC  framework,  parallel  analogies  and 
reasonable  interpretations  and  applications  of  those  analogies,  the  United  States  should 
legitimately  be  able  to  conduct  the  four  types  of  offensive  cyberoperations. 
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